[JIRA] (JENKINS-15213) email-ext 2.22+ allows any user with configure permission for a single job to circumvent Jenkins security

2012-12-11 Thread slide.o....@gmail.com (JIRA)

Slide-O-Mix commented on JENKINS-15213

Groovy Postbuild's security is easily bypassed, I can add imports at the top of the post-build script and access the Jenkins/Hudson instance all I want, even with the security enabled. I need to research this more, something along the lines of a sandbox if something like that exists.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators.
For more information on JIRA, see: http://www.atlassian.com/software/jira

[JIRA] (JENKINS-15213) email-ext 2.22+ allows any user with configure permission for a single job to circumvent Jenkins security

2012-12-11 Thread slide.o....@gmail.com (JIRA)

Slide-O-Mix started work on JENKINS-15213

Change By: Slide-O-Mix (11/Dec/12 2:21 PM)
Status: Open -> In Progress

[JIRA] (JENKINS-15213) email-ext 2.22+ allows any user with configure permission for a single job to circumvent Jenkins security

2012-12-11 Thread slide.o....@gmail.com (JIRA)

Slide-O-Mix commented on JENKINS-15213

I've decided to use the groovy sandbox to disallow interaction with the Jenkins instance when security is enabled for the pre-send script.

[JIRA] (JENKINS-15213) email-ext 2.22+ allows any user with configure permission for a single job to circumvent Jenkins security

2012-12-11 Thread scm_issue_l...@java.net (JIRA)

SCM/JIRA link daemon commented on JENKINS-15213

Code changed in jenkins
User: Alex Earl
Path:
 src/main/java/hudson/plugins/emailext/ExtendedEmailPublisher.java
 src/main/java/hudson/plugins/emailext/ExtendedEmailPublisherDescriptor.java
 src/main/resources/hudson/plugins/emailext/ExtendedEmailPublisher/global.jelly
 src/main/webapp/help/globalConfig/security.html
http://jenkins-ci.org/commit/email-ext-plugin/062f768561cb0e9b64331b8a43a2820d52971751
Log:
  Fix JENKINS-15213

Allow administrator to enable security for pre-send scripts. This is a
breaking change for current pre-send scripts.

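As an added example of the sandbox approach the maintainer chose above and the commit makes an administrator-enabled option (illustrative code, not the email-ext plugin's own): a Java allowlist interceptor built on kohsuke's groovy-sandbox that lets a pre-send script use only java.lang and java.util values, so a property read such as Hudson.instance or a static call such as Jenkins.getInstance() is refused before it executes. The class name PreSendSandbox, the package allowlist and the set of hooks covered are assumptions made for this example.

```java
import groovy.lang.Binding;
import groovy.lang.GroovyShell;
import java.util.Set;
import org.codehaus.groovy.control.CompilerConfiguration;
import org.kohsuke.groovy.sandbox.GroovyInterceptor;
import org.kohsuke.groovy.sandbox.SandboxTransformer;
/** Hypothetical allowlist sandbox for pre-send scripts (not the plugin's own code). */
public final class PreSendSandbox {
    // Deliberately tiny allowlist; extend it with the types a script legitimately needs (e.g. the mail message).
    private static final Set<String> ALLOWED_PACKAGES = Set.of("java.lang", "java.util");
    private static boolean allowed(Object receiver) {
        Class<?> c = receiver instanceof Class ? (Class<?>) receiver : receiver.getClass();
        Package p = c.getPackage();
        // Script-class receivers (implicit calls such as println) fall outside the allowlist as well.
        return p != null && ALLOWED_PACKAGES.contains(p.getName());
    }
    private static void check(Object receiver, String what) {
        if (receiver != null && !allowed(receiver)) throw new SecurityException("pre-send script may not use " + what + " on " + receiver);
    }
    /** Consulted by the transformed script before each call, property read and constructor. */
    static final class Allowlist extends GroovyInterceptor {
        @Override public Object onMethodCall(Invoker inv, Object receiver, String method, Object... args) throws Throwable {
            check(receiver, method + "()");
            return super.onMethodCall(inv, receiver, method, args);
        }
        @Override public Object onStaticCall(Invoker inv, Class receiver, String method, Object... args) throws Throwable {
            check(receiver, "static " + method + "()");   // refuses Jenkins.getInstance()
            return super.onStaticCall(inv, receiver, method, args);
        }
        @Override public Object onGetProperty(Invoker inv, Object receiver, String property) throws Throwable {
            check(receiver, "property " + property);      // refuses Hudson.instance
            return super.onGetProperty(inv, receiver, property);
        }
        @Override public Object onNewInstance(Invoker inv, Class receiver, Object... args) throws Throwable {
            check(receiver, "new");
            return super.onNewInstance(inv, receiver, args);
        }
        // Set-property, attribute, array and super-call hooks need the same treatment in real use.
    }
    /** Compiles with the sandbox transformer and evaluates with the interceptor registered for this thread. */
    public static Object run(String script, Binding binding) {
        CompilerConfiguration cc = new CompilerConfiguration();
        cc.addCompilationCustomizers(new SandboxTransformer());
        GroovyInterceptor guard = new Allowlist();
        guard.register();
        try {
            return new GroovyShell(binding, cc).evaluate(script);
        } finally {
            guard.unregister();
        }
    }
}
```

Running the script from step 4 of the report through `run(...)` ends in a SecurityException at the `instance` property read, while plain string and collection manipulation evaluates unchanged.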

[JIRA] (JENKINS-15213) email-ext 2.22+ allows any user with configure permission for a single job to circumvent Jenkins security

2012-10-31 Thread slide.o....@gmail.com (JIRA)

Slide-O-Mix commented on JENKINS-15213

Need to have a new LTS released which fixes the readonly textarea issue.

[JIRA] (JENKINS-15213) email-ext 2.22+ allows any user with configure permission for a single job to circumvent Jenkins security

2012-09-18 Thread dan...@beckweb.net (JIRA)

Daniel Beck created JENKINS-15213

Issue Type: Bug
Affects Versions: current
Assignee: Slide-O-Mix
Components: email-ext
Created: 18/Sep/12 10:43 AM

Description:

The ability to run a script prior to sending email was introduced in email-ext, a plugin with 10k+ installations, version 2.22 for JENKINS-12421.

This allows users to exploit their job configure privilege for a single job to gain access to all of Jenkins, circumventing any security measures.

Steps to reproduce
1. In project based matrix security (most severe permissions issue), give "User" overall read permission. Create job "Job" and give read/configure/build permissions to "User"
2. Log out and back in as "User"
3. Configure "Job" to send email-ext (upon success).
4. Set the pre-build script to e.g. "Hudson.instance.doQuietDown()" or "Hudson.instance.projects.each { it.disable() }"
5. Start a build

Result
Jenkins is quieting down, or all projects have been disabled, depending on the script. Everything else is possible as well.

Notes
This feature cannot be deactivated, like Groovy Postbuild's "restrict access to internal objects", or used in a safe way by privileged users only, like Groovy's requiring administration permissions for adding or editing Groovy System build steps.

This issue is identical to SECURITY-35 of June 23rd. Maybe it will get a better response as a public issue.

Environment: Since 2.22, including 2.24.1
Project: Jenkins
Priority: Major
Reporter: Daniel Beck

[JIRA] (JENKINS-15213) email-ext 2.22+ allows any user with configure permission for a single job to circumvent Jenkins security

2012-09-18 Thread slide.o....@gmail.com (JIRA)

Slide-O-Mix commented on JENKINS-15213

Thanks for bringing this up; most devs don't get copied on SECURITY issues, so that's why it hasn't been looked at. I'll look at it soon.

[JIRA] (JENKINS-15213) email-ext 2.22+ allows any user with configure permission for a single job to circumvent Jenkins security

2012-09-18 Thread slide.o....@gmail.com (JIRA)

Slide-O-Mix commented on JENKINS-15213

Yes, in fact I don't even have access to SECURITY-35, so it would have never been seen.
